Thunderbolt flaw exposes millions of PCs to attack
Hackers can bypass lock screens and hard drive encryption to copy data from targeted devices


Thunderbolt ports can be exploited by anyone who gains physical access to any PC built before 2019, with attackers able to read and copy all data on the device.
Attackers can bypass the login screens of locked computers, as well as hard drive encryption, on Windows and Linux PCs with Thunderbolt ports to gain access to data stored on the device. Some Mac devices are also affected.
Should hackers be within physical proximity of a device, they can unscrew the backplate, attach a device, reprogramme the firmware and gain full access to the laptop, according to security researcher Björn Ruytenberg.
These ‘Thunderspy’ attacks, Ruytenberg continued, rely on seven vulnerabilities found so far, ranging from weak device authentication schemes, to use of unauthenticated device metadata, to no Thunderbolt security on Boot Camp.
“Despite our repeated efforts, the rationale to Intel's decision not to mitigate the Thunderspy vulnerabilities on in-market systems remains unknown,” Ruytenberg said.
“Given the nature of Thunderspy, however, we believe it would be reasonable to assume these cannot be fixed and require a silicon redesign. Indeed, for future systems implementing Thunderbolt technology, Intel has stated they will incorporate additional hardware protections.”
All systems equipped with USB-C ports with Thunderbolt technology shipped between 2011 and 2020 are vulnerable. All Apple Macs released from 2011, apart from Retina MacBooks, offer Thunderbolt connectivity and are also therefore vulnerable.
Some systems manufactured in 2019 with Kernel direct memory access (DMA) Protection, however, are safeguarded against Thunderspy attacks, but only partially: Kernel DMA Protection doesn’t mitigate all of the vulnerabilities, the researcher added.
As a result, effectively, all devices released before 2019 remain fully vulnerable to Thunderspy forever, including those manufactured last year without Kernel DMA Protection.
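A defender can check whether a Linux machine has this protection switched on. The following is an added example, not code from the article or from the researchers; it assumes the Linux kernel's Thunderbolt sysfs attributes `security` and `iommu_dma_protection` under `/sys/bus/thunderbolt/devices/domainN`, and the verdict labels are the example's own naming.

```shell
#!/bin/sh
# Added example (not from the article): report, per Thunderbolt domain, the
# security level and whether IOMMU-based DMA protection is active on Linux.
# Verdict labels below are this example's own naming.

# Print one status line for a domain directory such as .../domain0.
tb_domain_status() {
    dom=$1
    level=unknown
    iommu=unknown
    if [ -r "$dom/security" ]; then level=$(cat "$dom/security"); fi
    # Attribute is absent on older kernels; keep "unknown" in that case.
    if [ -r "$dom/iommu_dma_protection" ]; then
        iommu=$(cat "$dom/iommu_dma_protection")
    fi
    if [ "$iommu" = 1 ]; then
        # DMA remapping on: the partial safeguard the article describes.
        verdict=dma-remapping-on
    else
        case $level in
            none) verdict=no-protection ;;
            # Access control rests on the controller's security level alone.
            user|secure|dponly|usbonly|nopcie) verdict=security-level-only ;;
            *) verdict=unknown ;;
        esac
    fi
    printf '%s security=%s iommu_dma_protection=%s verdict=%s\n' \
        "$(basename "$dom")" "$level" "$iommu" "$verdict"
}

# Walk every domain under the sysfs root (overridable for testing).
tb_audit() {
    root=${1:-/sys/bus/thunderbolt/devices}
    found=0
    for d in "$root"/domain*; do
        [ -d "$d" ] || continue
        found=1
        tb_domain_status "$d"
    done
    if [ "$found" = 0 ]; then echo "no-thunderbolt-domains"; fi
}

tb_audit "$@"
```

Machines that report `security-level-only` or `no-protection` are the ones to prioritise for physical-access controls or for disabling Thunderbolt in firmware setup.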
“We constantly monitor the security landscape and value work that helps us identify new potential threats,” an HP spokesperson told IT Pro.
“Our existing security bulletin provides home PC mitigations for open case DMA pre-boot type attacks. It’s important to remember that such attacks require physical access to the device. The security of our customers is always a top priority and we always encourage people to keep their systems up to date.”
"Dell is aware of the Thunderbolt security research described by researchers as 'Thunderspy'," a spokesperson told IT Pro. "Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled."
"Since this attack requires physical access, we recommend customers follow security best practices and prevent unauthorized physical access to devices."
Cyber security specialist with ESET, Jake Moore, said Thunderspy is an impressive attack, adding it’s difficult to defend against as there's very little that could mitigate it.
“There is still some simple advice that can be effective: you should never leave your computer unattended for any given time,” he said. “Luckily, given the current social distancing in place, it would seem only your household could be the hacker culprits.
“Being able to alter the firmware of the internal chip and changing the security settings to allow access to any device is impressive, and although Thunderbolt port attacks are nothing new, they can be extremely damaging and infuriatingly difficult to patch.
“Therefore, in the meantime, I would advise that users avoid connecting unknown or untrusted devices to PC ports, and that the Thunderbolt port isn’t used by those who still work around people or who may be particularly vulnerable to an attack.”
Intel has confirmed it was approached in February with reports of the 'Thunderspy' attack, and that researchers were not able to demonstrate successful exploitation with the Kernel DMA Protection mitigation enabled.
"For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers," Intel's Director of Communications Jerry Bryant said.
"As part of the Security-First Pledge, Intel will continue to improve the security of Thunderbolt technology, and we thank the researchers from Eindhoven University for reporting this to us."

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.